Managing roles

Use the Roles tree to define and maintain administrative roles and their associated console rights. Console rights are based on Management Suite features. For example, you can create a help desk role and give it the remote control right.

You can add as many additional roles as you need. New roles aren't automatically assigned to any user groups. Once you create a role, you associate it with a user group in the Group Permissions tree.

Since you can assign multiple roles to a group of users, decide how you want to assign rights. You can either assign rights based on a job description, such as "help desk," or you can assign rights based on console feature, like "remote control." Depending on the number and variety of console users your organization may have, one way may work better than the other.

To create a role
  1. In the Users tool, right-click Roles and click New role.
  2. In the New role dialog, enter a Role name.
  3. Enable or disable the rights you want by clicking on the symbol in the appropriate column. Each click toggles the right's state.
  4. Check the device scope you want associated with the role.
  5. Set any remote control time constraints that you want.
  6. Click Save.

Understanding rights and states

There are four types of rights a user can have:

Not all rights support all types. For example, the "Public query management" right can only have the "Edit public" type. It wouldn't make sense to also have the "View," "Edit," or "Deploy" types.

There are three states a right can have:

Clicking on a checkmark or an X will toggle its state.

If users have no rights for a tool, they won't see the tool when they log into the console. The tool won't appear in the Toolbox or in the Tools menu.

The Scheduled tasks tool is only visible to users who have a "Deploy" right, and in that case, they can only work with tasks associated with the tool they have deploy rights for. All other tasks are read-only.

Understanding the default roles

There are three default roles under the Roles tree. You can't edit or delete these default roles:

LANDesk Administrators have full rights to all scopes and rights. They also have full access to the Users tool and can make any changes they want. Only users with the Administrator right can configure LANDesk services running on the core.

For more information on the reporting roles, see Reports.

Understanding the "Edit public" right

A tool's Public group is visible to all users. Items in the public group are read-only, unless you have the "Edit public" right. Users that have "Edit public" rights on a feature can only edit public items for that feature. Other public items will be read-only. Read-only items are still useful, since users can copy those items to the "My ..." tree group and edit them there.

The Scheduled tasks tool's Public group works slightly differently. All tasks in the Public group are visible to users with a "deploy" right, including tasks for features users may not have access to. However, only tasks that users have a "Deploy" right for are editable. The rest are read-only.

If you have "Edit Public" and "Deploy" right types, you can create new tasks in the Public group as well as add/remove tasks from it.

Using remote control and time constraints

When creating a role, you have the opportunity to also define remote control time constraints. These time constraints limit the hours and days console users can initiate remote control sessions. When you enable time constraints, specify the days of the week, the starting time (in UTC format) and duration for the period of time that you want to allow remote control.

Note that the starting time is in UTC (Coordinated Universal Time or Greenwich Mean Time) format. The core server determines the starting time by checking the UTC time reported by the core server's operating system. The core server doesn't adjust for the console users' local time zone. When entering the starting time value, you need to compensate for the difference between UTC time and the console operators' local time zone and use the resulting adjusted time.

NOTE: Remote control integrated security only works with scopes that are directly included in the role granting remote control privileges.